| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Feb 2021 14:51:26 +0000
From: Luis Henriques <lhenriques@...e.de>
To: Amir Goldstein <amir73il@...il.com>
Cc: Greg KH <gregkh@...uxfoundation.org>,
Jeff Layton <jlayton@...nel.org>,
Nicolas Boichat <drinkcat@...omium.org>,
"Darrick J . Wong" <djwong@...nel.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Ian Lance Taylor <iant@...gle.com>,
Luis Lozano <llozano@...omium.org>,
Dave Chinner <david@...morbit.com>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
Trond Myklebust <trond.myklebust@...merspace.com>,
Anna Schumaker <Anna.Schumaker@...app.com>,
Miklos Szeredi <miklos@...redi.hu>,
Steve French <sfrench@...ba.org>
Subject: Re: [PATCH 1/6] fs: Add flag to file_system_type to indicate
content is generated
Amir Goldstein <amir73il@...il.com> writes:
> On Mon, Feb 15, 2021 at 2:21 PM Luis Henriques <lhenriques@...e.de> wrote:
>>
>> Luis Henriques <lhenriques@...e.de> writes:
>>
>> > Amir Goldstein <amir73il@...il.com> writes:
>> >
>> >> On Fri, Feb 12, 2021 at 2:40 PM Luis Henriques <lhenriques@...e.de> wrote:
>> > ...
>> >>> Sure, I just wanted to point out that *maybe* there are other options than
>> >>> simply reverting that commit :-)
>> >>>
>> >>> Something like the patch below (completely untested!) should revert to the
>> >>> old behaviour in filesystems that don't implement the CFR syscall.
>> >>>
>> >>> Cheers,
>> >>> --
>> >>> Luis
>> >>>
>> >>> diff --git a/fs/read_write.c b/fs/read_write.c
>> >>> index 75f764b43418..bf5dccc43cc9 100644
>> >>> --- a/fs/read_write.c
>> >>> +++ b/fs/read_write.c
>> >>> @@ -1406,8 +1406,11 @@ static ssize_t do_copy_file_range(struct file *file_in, loff_t pos_in,
>> >>> file_out, pos_out,
>> >>> len, flags);
>> >>>
>> >>> - return generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
>> >>> - flags);
>> >>> + if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb)
>> >>> + return -EXDEV;
>> >>> + else
>> >>> + generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
>> >>> + flags);
>> >>> }
>> >>>
>> >>
>> >> Which kernel is this patch based on?
>> >
>> > It was v5.11-rc7.
>> >
>> >> At this point, I am with Dave and Darrick on not falling back to
>> >> generic_copy_file_range() at all.
>> >>
>> >> We do not have proof of any workload that benefits from it and the
>> >> above patch does not protect from a wierd use case of trying to copy a file
>> >> from sysfs to sysfs.
>> >>
>> >
>> > Ok, cool. I can post a new patch doing just that. I guess that function
>> > do_copy_file_range() can be dropped in that case.
>> >
>> >> I am indecisive about what should be done with generic_copy_file_range()
>> >> called as fallback from within filesystems.
>> >>
>> >> I think the wise choice is to not do the fallback in any case, but this is up
>> >> to the specific filesystem maintainers to decide.
>> >
>> > I see what you mean. You're suggesting to have userspace handle all the
>> > -EOPNOTSUPP and -EXDEV errors. Would you rather have a patch that also
>> > removes all the calls to generic_copy_file_range() function? And that
>> > function can also be deleted too, of course.
>>
>> Here's a first stab at this patch. Hopefully I didn't forgot anything
>> here. Let me know if you prefer the more conservative approach, i.e. not
>> touching any of the filesystems and let them use generic_copy_file_range.
>>
>
> I'm fine with this one (modulu my comment below).
> CC'ing fuse/cifs/nfs maintainers.
> Though I don't think the FS maintainers should mind removing the fallback.
> It was added by "us" (64bf5ff58dff "vfs: no fallback for ->copy_file_range()")
Thanks for your review, Amir. I'll be posting v2 shortly.
Cheers,
--
Luis
>> Once everyone agrees on the final solution, I can follow-up with the
>> manpages update.
>>
>> Cheers,
>> --
>> Luis
>>
>> From e1b37e80b12601d56f792bd19377d3e5208188ef Mon Sep 17 00:00:00 2001
>> From: Luis Henriques <lhenriques@...e.de>
>> Date: Fri, 12 Feb 2021 18:03:23 +0000
>> Subject: [PATCH] vfs: prevent copy_file_range to copy across devices
>>
>> Nicolas Boichat reported an issue when trying to use the copy_file_range
>> syscall on a tracefs file. It failed silently because the file content is
>> generated on-the-fly (reporting a size of zero) and copy_file_range needs
>> to know in advance how much data is present.
>>
>> This commit effectively reverts 5dae222a5ff0 ("vfs: allow copy_file_range to
>> copy across devices"). Now the copy is done only if the filesystems for source
>> and destination files are the same and they implement this syscall.
>
> This paragraph is not true and confusing.
> This is not a revert and it does not revert the important part of cross-fs copy
> for which the original commit was for.
> Either rephrase this paragraph or remove it.
>
>>
>> Fixes: 5dae222a5ff0 ("vfs: allow copy_file_range to copy across devices")
>
> Please add a Link: to this discussion in lore.
>
>> Cc: Nicolas Boichat <drinkcat@...omium.org>
>> Signed-off-by: Luis Henriques <lhenriques@...e.de>
>> ---
>> fs/ceph/file.c | 21 +++------------
>> fs/cifs/cifsfs.c | 3 ---
>> fs/fuse/file.c | 21 +++------------
>> fs/nfs/nfs4file.c | 20 +++-----------
>> fs/read_write.c | 65 ++++++++--------------------------------------
>> include/linux/fs.h | 3 ---
>> 6 files changed, 20 insertions(+), 113 deletions(-)
>>
>> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
>> index 209535d5b8d3..639bd7bfaea9 100644
>> --- a/fs/ceph/file.c
>> +++ b/fs/ceph/file.c
>> @@ -2261,9 +2261,9 @@ static ssize_t ceph_do_objects_copy(struct ceph_inode_info *src_ci, u64 *src_off
>> return bytes;
>> }
>>
>> -static ssize_t __ceph_copy_file_range(struct file *src_file, loff_t src_off,
>> - struct file *dst_file, loff_t dst_off,
>> - size_t len, unsigned int flags)
>> +static ssize_t ceph_copy_file_range(struct file *src_file, loff_t src_off,
>> + struct file *dst_file, loff_t dst_off,
>> + size_t len, unsigned int flags)
>> {
>> struct inode *src_inode = file_inode(src_file);
>> struct inode *dst_inode = file_inode(dst_file);
>> @@ -2456,21 +2456,6 @@ static ssize_t __ceph_copy_file_range(struct file *src_file, loff_t src_off,
>> return ret;
>> }
>>
>> -static ssize_t ceph_copy_file_range(struct file *src_file, loff_t src_off,
>> - struct file *dst_file, loff_t dst_off,
>> - size_t len, unsigned int flags)
>> -{
>> - ssize_t ret;
>> -
>> - ret = __ceph_copy_file_range(src_file, src_off, dst_file, dst_off,
>> - len, flags);
>> -
>> - if (ret == -EOPNOTSUPP || ret == -EXDEV)
>> - ret = generic_copy_file_range(src_file, src_off, dst_file,
>> - dst_off, len, flags);
>> - return ret;
>> -}
>> -
>> const struct file_operations ceph_file_fops = {
>> .open = ceph_open,
>> .release = ceph_release,
>> diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
>> index e46da536ed33..8b869cc67443 100644
>> --- a/fs/cifs/cifsfs.c
>> +++ b/fs/cifs/cifsfs.c
>> @@ -1229,9 +1229,6 @@ static ssize_t cifs_copy_file_range(struct file *src_file, loff_t off,
>> len, flags);
>> free_xid(xid);
>>
>> - if (rc == -EOPNOTSUPP || rc == -EXDEV)
>> - rc = generic_copy_file_range(src_file, off, dst_file,
>> - destoff, len, flags);
>> return rc;
>> }
>>
>> diff --git a/fs/fuse/file.c b/fs/fuse/file.c
>> index 8cccecb55fb8..0dd703278e49 100644
>> --- a/fs/fuse/file.c
>> +++ b/fs/fuse/file.c
>> @@ -3330,9 +3330,9 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,
>> return err;
>> }
>>
>> -static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
>> - struct file *file_out, loff_t pos_out,
>> - size_t len, unsigned int flags)
>> +static ssize_t fuse_copy_file_range(struct file *file_in, loff_t pos_in,
>> + struct file *file_out, loff_t pos_out,
>> + size_t len, unsigned int flags)
>> {
>> struct fuse_file *ff_in = file_in->private_data;
>> struct fuse_file *ff_out = file_out->private_data;
>> @@ -3439,21 +3439,6 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
>> return err;
>> }
>>
>> -static ssize_t fuse_copy_file_range(struct file *src_file, loff_t src_off,
>> - struct file *dst_file, loff_t dst_off,
>> - size_t len, unsigned int flags)
>> -{
>> - ssize_t ret;
>> -
>> - ret = __fuse_copy_file_range(src_file, src_off, dst_file, dst_off,
>> - len, flags);
>> -
>> - if (ret == -EOPNOTSUPP || ret == -EXDEV)
>> - ret = generic_copy_file_range(src_file, src_off, dst_file,
>> - dst_off, len, flags);
>> - return ret;
>> -}
>> -
>> static const struct file_operations fuse_file_operations = {
>> .llseek = fuse_file_llseek,
>> .read_iter = fuse_file_read_iter,
>> diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
>> index 57b3821d975a..60998209e310 100644
>> --- a/fs/nfs/nfs4file.c
>> +++ b/fs/nfs/nfs4file.c
>> @@ -133,9 +133,9 @@ nfs4_file_flush(struct file *file, fl_owner_t id)
>> }
>>
>> #ifdef CONFIG_NFS_V4_2
>> -static ssize_t __nfs4_copy_file_range(struct file *file_in, loff_t pos_in,
>> - struct file *file_out, loff_t pos_out,
>> - size_t count, unsigned int flags)
>> +static ssize_t nfs4_copy_file_range(struct file *file_in, loff_t pos_in,
>> + struct file *file_out, loff_t pos_out,
>> + size_t count, unsigned int flags)
>> {
>> struct nfs42_copy_notify_res *cn_resp = NULL;
>> struct nl4_server *nss = NULL;
>> @@ -189,20 +189,6 @@ static ssize_t __nfs4_copy_file_range(struct file *file_in, loff_t pos_in,
>> return ret;
>> }
>>
>> -static ssize_t nfs4_copy_file_range(struct file *file_in, loff_t pos_in,
>> - struct file *file_out, loff_t pos_out,
>> - size_t count, unsigned int flags)
>> -{
>> - ssize_t ret;
>> -
>> - ret = __nfs4_copy_file_range(file_in, pos_in, file_out, pos_out, count,
>> - flags);
>> - if (ret == -EOPNOTSUPP || ret == -EXDEV)
>> - ret = generic_copy_file_range(file_in, pos_in, file_out,
>> - pos_out, count, flags);
>> - return ret;
>> -}
>> -
>> static loff_t nfs4_file_llseek(struct file *filep, loff_t offset, int whence)
>> {
>> loff_t ret;
>> diff --git a/fs/read_write.c b/fs/read_write.c
>> index 75f764b43418..87bf9efd7f71 100644
>> --- a/fs/read_write.c
>> +++ b/fs/read_write.c
>> @@ -1358,58 +1358,6 @@ COMPAT_SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd,
>> }
>> #endif
>>
>> -/**
>> - * generic_copy_file_range - copy data between two files
>> - * @file_in: file structure to read from
>> - * @pos_in: file offset to read from
>> - * @file_out: file structure to write data to
>> - * @pos_out: file offset to write data to
>> - * @len: amount of data to copy
>> - * @flags: copy flags
>> - *
>> - * This is a generic filesystem helper to copy data from one file to another.
>> - * It has no constraints on the source or destination file owners - the files
>> - * can belong to different superblocks and different filesystem types. Short
>> - * copies are allowed.
>> - *
>> - * This should be called from the @file_out filesystem, as per the
>> - * ->copy_file_range() method.
>> - *
>> - * Returns the number of bytes copied or a negative error indicating the
>> - * failure.
>> - */
>> -
>> -ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in,
>> - struct file *file_out, loff_t pos_out,
>> - size_t len, unsigned int flags)
>> -{
>> - return do_splice_direct(file_in, &pos_in, file_out, &pos_out,
>> - len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
>> -}
>> -EXPORT_SYMBOL(generic_copy_file_range);
>> -
>> -static ssize_t do_copy_file_range(struct file *file_in, loff_t pos_in,
>> - struct file *file_out, loff_t pos_out,
>> - size_t len, unsigned int flags)
>> -{
>> - /*
>> - * Although we now allow filesystems to handle cross sb copy, passing
>> - * a file of the wrong filesystem type to filesystem driver can result
>> - * in an attempt to dereference the wrong type of ->private_data, so
>> - * avoid doing that until we really have a good reason. NFS defines
>> - * several different file_system_type structures, but they all end up
>> - * using the same ->copy_file_range() function pointer.
>> - */
>> - if (file_out->f_op->copy_file_range &&
>> - file_out->f_op->copy_file_range == file_in->f_op->copy_file_range)
>> - return file_out->f_op->copy_file_range(file_in, pos_in,
>> - file_out, pos_out,
>> - len, flags);
>> -
>> - return generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
>> - flags);
>
> Please do not remove the big comment above - it is there for a reason.
>
> The case of !file_out->f_op->copy_file_range should return -EOPNOTSUPP
> because the outcome of -EXDEV for copy to/from the same fs is confusing.
>
> Either leave this helper and only remove generic_copy_file_range() or
> open code the same logic (including comment) in the caller.
>
>> -}
>> -
>> /*
>> * Performs necessary checks before doing a file copy
>> *
>> @@ -1474,6 +1422,14 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
>> {
>> ssize_t ret;
>>
>> + /*
>> + * Allow the copy only if the filesystems for file_in and file_out are
>> + * the same, and copy_file_range is implemented.
>> + */
>
> This comment is wrong. See the big fat comment above to understand why.
> Also this check is in the wrong place because it misses the case of
> file_in->f_op->remap_file_range && !file_out->f_op->copy_file_range
>
> As I wrote above either leave the helper do_copy_file_range() or open
> code it in its current location.
>
>> + if (!file_out->f_op->copy_file_range ||
>> + (file_out->f_op->copy_file_range != file_in->f_op->copy_file_range))
>> + return -EXDEV;
>> +
>> if (flags != 0)
>> return -EINVAL;
>>
>> @@ -1513,8 +1469,9 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
>> }
>> }
>>
>> - ret = do_copy_file_range(file_in, pos_in, file_out, pos_out, len,
>> - flags);
>> + ret = file_out->f_op->copy_file_range(file_in, pos_in,
>> + file_out, pos_out,
>> + len, flags);
>> WARN_ON_ONCE(ret == -EOPNOTSUPP);
>
> Please remove this line.
> filesystem ops can now return -EOPNOTSUPP.
>
> Thanks,
> Amir.
Powered by blists - more mailing lists